A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10792  by rootkitreader
 Wed Jan 04, 2012 3:59 pm
Hi,

I would like to start thread on best practises for unpacking rootkits.
Currently I'm trying to look at code of Mayachok.2 vbr rootkit.
My problem is how to unpack all parts of this rootkit. I mean get mbr, vbr and so on..
I'm not interested in taking unpacked code :)

~~~~~~~~
thanks!
~~~~~~~~
 #10798  by EP_X0FF
 Wed Jan 04, 2012 5:33 pm
rootkitreader wrote: Maybe some good tools would be helpful?!
WinHex.
 #10803  by rootkitreader
 Wed Jan 04, 2012 6:55 pm
EP_X0FF
thank you for your fast response.
Well, I have a question about WinHex: is this tool (sorry, I haven't downloaded it yet) user-mode only, or is it user-mode and kernel-mode?
I'm asking because I'm wondering whether it will always give you a good look at the MBR even if the rootkit has hooked some functions so that it always returns 'good' sectors.
I've read that Sinowal was doing this trick.
 #10813  by EP_X0FF
 Thu Jan 05, 2012 4:01 am
It is a handy user-mode hex/disk/RAM editor. For your task - Cidox - it is more than enough. Open the disk and copy the $Boot file for the active partition; that is the Cidox VBR. If you are asking about a universal solution for all known and possible new bootkits - such a thing does not exist. Infect a machine with the bootkit, mount this infected HDD image/disk and then work with it in WinHex. If you need to debug the MBR -> Bochs + IDA Pro are your friends.
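The "copy the $Boot/VBR of the active partition" step above, as an added example that is not code from the thread: it walks the MBR partition table of a raw disk image, locates the one partition flagged active, carves its first sector(s), and reports the fields an analyst checks before loading the bytes into IDA. The image is a constructed sample (one NTFS partition at LBA 63), not a real infected disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of the MBR partition table at offset 446."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def extract_vbr(image: bytes, n_sectors: int = 1) -> bytes:
    """Return the first n_sectors of the single active (bootable) partition."""
    active = [e for e in parse_mbr(image[:SECTOR]) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    start = active[0]["lba_start"] * SECTOR
    vbr = image[start:start + n_sectors * SECTOR]
    if len(vbr) < n_sectors * SECTOR:
        raise ValueError("image truncated before end of requested VBR range")
    return vbr


def vbr_info(vbr: bytes) -> dict:
    """Quick triage fields: entry jump, OEM ID, boot signature, hash for comparison with a clean VBR."""
    return {"jump": vbr[:3].hex(), "oem_id": vbr[3:11],
            "signature_ok": vbr[510:512] == BOOT_SIG,
            "sha256": hashlib.sha256(vbr).hexdigest()}


def _build_sample_image() -> bytes:
    """Constructed test image: one active NTFS (type 0x07) partition starting at LBA 63."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 63, 2048)
    mbr[510:512] = BOOT_SIG
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11], vbr[510:512] = b"\xeb\x52\x90", b"NTFS    ", BOOT_SIG
    return bytes(mbr) + bytes(62 * SECTOR) + bytes(vbr)


SAMPLE_IMAGE = _build_sample_image()
```

Run `extract_vbr(open("disk.img", "rb").read(), n_sectors=16)` on a real image to carve the full NTFS bootstrap area; diffing the `sha256` against the same machine's pre-infection VBR shows whether the bootstrap code was replaced.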
 #10850  by rootkitreader
 Fri Jan 06, 2012 12:36 am
EP_X0FF!
Thank you so much for your tip here.

Well, it seems that it is too hard for me since IDA (currently I'm using the free edition) does not recognize the type of file, and this makes analysis of the code harder because the code is not automatically disassembled.
I would appreciate it if anyone could share with me already analysed, fully and properly disassembled code of this $Boot file.
I'm posting my file to this thread.. ;(


~~~~~~~~
thanks!
~~~~~~~~
Attachments
this is the $Boot file taken after infection (4.03 KiB)
 #10858  by rootkitreader
 Fri Jan 06, 2012 8:20 am
EP_X0FF!
Again I need to thank you for your help.
This link is really useful, but my problem is that I want to understand the code of the bootkit. I have a $Boot file, but I don't have enough skill to properly disassemble it (IDA is treating it as a sequence of bytes) and I would need to disassemble it manually, which is very difficult for me, so if anybody could give me this code it would be great. I would like to know what exactly this bootkit code is doing, where the original code is backed up, what kinds of interrupts are hooked and so on...
Sorry, I understand that my expectations may be very big for this forum, but I know that there are so many big specialists here who have done it many times...

~~~~~~~~
thanks!
~~~~~~~~
 #10860  by EP_X0FF
 Fri Jan 06, 2012 8:21 am
Open it in IDA. Select the boot code block and press "Analyze selected area".